tomcat-dev mailing list archives

From Assaf Arkin <>
Subject Re: more stuff on JAAS
Date Mon, 17 Apr 2000 23:29:51 GMT
Client-side SHA1 is fairly easy to do but requires some tricky
configuration, since not all LDAP servers hold passwords in the same
manner (they are generally prefixed with the algorithm name, sometimes
with a salt).

If I'm not mistaken DASL is the name of the secure authentication layer,
which is only partially supported today by LDAP servers. I do believe,
however, that it will become a standard feature in the future.


> IMHO, the correct solution to this is to have the SHA comparison
> functionality added to the client.  This keeps from sending the
> passwords in plain text.  True, this does not guard against
> a snoop/dictionary crack but at least it's not in plain text.  It's
> not a very good idea to have the LDAP server perform the comparison
> unless you're running your LDAP server over SSL.  This is something I've
> never done.  I've heard it's a pain, but I'll let others offer
> up their experiences on this.
> My $0.02
> Andy
> --
> --------------------------------------------------
> Andrew Libby
> Consultant
> Perfect Order, Inc

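The two points raised in this exchange (LDAP servers store passwords prefixed with the algorithm name and sometimes a salt, and the client can do the SHA comparison itself so no plaintext password is sent) can be shown in a few lines. The following is an added example written for this archive page; it is not code from the thread or from Tomcat. It assumes the RFC 2307 style encodings `{SHA}` (base64 of the SHA-1 digest) and `{SSHA}` (base64 of the SHA-1 digest followed by the salt), which is what common LDAP servers such as OpenLDAP use; the function and variable names are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest size in bytes; the {SSHA} salt follows the digest


def make_sha(password: str) -> str:
    """Encode a password as an unsalted {SHA} userPassword value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as a salted {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # random salt per entry when none is supplied
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(stored: str, candidate: str) -> bool:
    """Client-side comparison of a candidate password against a stored value.

    Parses the "{SCHEME}" prefix, recovers the salt for {SSHA}, recomputes the
    digest locally and compares in constant time. Unknown schemes, plaintext
    values and malformed base64 all fail closed (return False).
    """
    if not stored.startswith("{"):
        return False  # plaintext or unrecognised layout: do not guess
    end = stored.find("}")
    if end < 0:
        return False
    scheme = stored[1:end].upper()
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

    if scheme == "SHA":
        digest, salt = blob, b""
    elif scheme == "SSHA":
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    else:
        return False  # e.g. {MD5}, {CRYPT}: not handled by this example

    if len(digest) != SHA1_LEN:
        return False
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time compare so a mismatch leaks no timing information.
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    # Constructed entries, as an LDAP search for userPassword might return them.
    entries = {
        "cn=alice": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
        "cn=bob": make_sha("letmein"),
    }
    for dn, stored in entries.items():
        print(dn, stored, verify_ldap_password(stored, "letmein"))
```

Reading the value back from the directory and comparing locally is the arrangement Andy describes: the only thing that leaves the client is the LDAP search, never the plaintext. The caveat from the same post still applies: an unsalted `{SHA}` value recovered by a snoop is directly usable for a dictionary crack, and `{SSHA}` only removes the ability to precompute tables, so the transport itself should still be protected.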